From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+6bb23a5d5548b93c94aa@syzkaller.appspotmail.com,
Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 5.12 048/127] ALSA: usb-audio: Validate MS endpoint descriptors
Date: Mon, 24 May 2021 17:26:05 +0200 [thread overview]
Message-ID: <20210524152336.470419655@linuxfoundation.org> (raw)
In-Reply-To: <20210524152334.857620285@linuxfoundation.org>
From: Takashi Iwai <tiwai@suse.de>
commit e84749a78dc82bc545f12ce009e3dbcc2c5a8a91 upstream.
snd_usbmidi_get_ms_info() may access beyond the border when a
malformed descriptor is passed. This patch adds the sanity checks of
the given MS endpoint descriptors, and skips invalid ones.
Reported-by: syzbot+6bb23a5d5548b93c94aa@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210510150659.17710-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/midi.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -1889,8 +1889,12 @@ static int snd_usbmidi_get_ms_info(struc
ms_ep = find_usb_ms_endpoint_descriptor(hostep);
if (!ms_ep)
continue;
+ if (ms_ep->bLength <= sizeof(*ms_ep))
+ continue;
if (ms_ep->bNumEmbMIDIJack > 0x10)
continue;
+ if (ms_ep->bLength < sizeof(*ms_ep) + ms_ep->bNumEmbMIDIJack)
+ continue;
if (usb_endpoint_dir_out(ep)) {
if (endpoints[epidx].out_ep) {
if (++epidx >= MIDI_MAX_ENDPOINTS) {
next prev parent reply other threads:[~2021-05-24 16:04 UTC|newest]
Thread overview: 138+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-24 15:25 [PATCH 5.12 000/127] 5.12.7-rc1 review Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 001/127] firmware: arm_scpi: Prevent the ternary sign expansion bug Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 002/127] openrisc: Fix a memory leak Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 003/127] tee: amdtee: unload TA only when its refcount becomes 0 Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 004/127] habanalabs/gaudi: Fix a potential use after free in gaudi_memset_device_memory Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 005/127] RDMA/siw: Properly check send and receive CQ pointers Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 006/127] RDMA/siw: Release xarray entry Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 007/127] RDMA/core: Prevent divide-by-zero error triggered by the user Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 008/127] platform/x86: ideapad-laptop: fix a NULL pointer dereference Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 009/127] RDMA/rxe: Clear all QP fields if creation failed Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 010/127] scsi: ufs: core: Increase the usable queue depth Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 011/127] scsi: qedf: Add pointer checks in qedf_update_link_speed() Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 012/127] scsi: qla2xxx: Fix error return code in qla82xx_write_flash_dword() Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 013/127] RDMA/mlx5: Recover from fatal event in dual port mode Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 014/127] RDMA/rxe: Split MEM into MR and MW Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 015/127] RDMA/rxe: Return CQE error if invalid lkey was supplied Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 016/127] RDMA/core: Dont access cm_id after its destruction Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 017/127] nvmet: fix memory leak in nvmet_alloc_ctrl() Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 018/127] nvme-loop: fix memory leak in nvme_loop_create_ctrl() Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 019/127] nvme-tcp: rerun io_work if req_list is not empty Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 020/127] nvme-fc: clear q_live at beginning of association teardown Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 021/127] platform/mellanox: mlxbf-tmfifo: Fix a memory barrier issue Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 022/127] platform/x86: intel_int0002_vgpio: Only call enable_irq_wake() when using s2idle Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 023/127] platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 024/127] RDMA/mlx5: Fix query DCT via DEVX Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 025/127] RDMA/uverbs: Fix a NULL vs IS_ERR() bug Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 026/127] tools/testing/selftests/exec: fix link error Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 027/127] drm/ttm: Do not add non-system domain BO into swap list Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 028/127] powerpc/pseries: Fix hcall tracing recursion in pv queued spinlocks Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 029/127] ptrace: make ptrace() fail if the tracee changed its pid unexpectedly Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 030/127] nvmet: seset ns->file when open fails Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 031/127] perf/x86: Avoid touching LBR_TOS MSR for Arch LBR Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 032/127] locking/lockdep: Correct calling tracepoints Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 033/127] locking/mutex: clear MUTEX_FLAGS if wait_list is empty due to signal Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 034/127] powerpc: Fix early setup to make early_ioremap() work Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 035/127] btrfs: avoid RCU stalls while running delayed iputs Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 036/127] btrfs: fix removed dentries still existing after log is synced Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 037/127] btrfs: zoned: pass start block to btrfs_use_zone_append Greg Kroah-Hartman
2021-05-25 12:01 ` David Sterba
2021-05-24 15:25 ` [PATCH 5.12 038/127] btrfs: zoned: fix parallel compressed writes Greg Kroah-Hartman
2021-05-25 12:00 ` David Sterba
2021-05-25 12:20 ` Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 039/127] cifs: fix memory leak in smb2_copychunk_range Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 040/127] fs/mount_setattr: tighten permission checks Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 041/127] misc: eeprom: at24: check suspend status before disable regulator Greg Kroah-Hartman
2021-05-24 15:25 ` [PATCH 5.12 042/127] ALSA: dice: fix stream format for TC Electronic Konnekt Live at high sampling transfer frequency Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 043/127] ALSA: intel8x0: Dont update period unless prepared Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 044/127] ALSA: firewire-lib: fix amdtp_packet tracepoints event for packet_index field Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 045/127] ALSA: line6: Fix racy initialization of LINE6 MIDI Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 046/127] ALSA: dice: fix stream format at middle sampling rate for Alesis iO 26 Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 047/127] ALSA: firewire-lib: fix calculation for size of IR context payload Greg Kroah-Hartman
2021-05-24 15:26 ` Greg Kroah-Hartman [this message]
2021-05-24 15:26 ` [PATCH 5.12 049/127] ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 050/127] ALSA: hda: fixup headset for ASUS GU502 laptop Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 051/127] Revert "ALSA: sb8: add a check for request_region" Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 052/127] ALSA: firewire-lib: fix check for the size of isochronous packet payload Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 053/127] ALSA: hda/realtek: reset eapd coeff to default value for alc287 Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 054/127] ALSA: hda/realtek: Add some CLOVE SSIDs of ALC293 Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 055/127] ALSA: hda/realtek: Fix silent headphone output on ASUS UX430UA Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 056/127] ALSA: hda/realtek: Add fixup for HP OMEN laptop Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 057/127] ALSA: hda/realtek: Add fixup for HP Spectre x360 15-df0xxx Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 058/127] ALSA: usb-audio: Configure Pioneer DJM-850 samplerate Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 059/127] ALSA: usb-audio: DJM-750: ensure format is set Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 060/127] uio/uio_pci_generic: fix return value changed in refactoring Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 061/127] uio_hv_generic: Fix a memory leak in error handling paths Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 062/127] uio_hv_generic: Fix another " Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 063/127] platform/x86: ideapad-laptop: fix method name typo Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 064/127] Revert "rapidio: fix a NULL pointer dereference when create_workqueue() fails" Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 065/127] rapidio: handle create_workqueue() failure Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 066/127] Revert "serial: mvebu-uart: Fix to avoid a potential NULL pointer dereference" Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 067/127] nvme-tcp: fix possible use-after-completion Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 068/127] x86/build: Fix location of -plugin-opt= flags Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 069/127] x86/sev-es: Move sev_es_put_ghcb() in prep for follow on patch Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 070/127] x86/sev-es: Invalidate the GHCB after completing VMGEXIT Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 071/127] x86/sev-es: Dont return NULL from sev_es_get_ghcb() Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 072/127] x86/sev-es: Use __put_user()/__get_user() for data accesses Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 073/127] x86/sev-es: Forward page-faults which happen during emulation Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 074/127] drm/i915/gem: Pin the L-shape quirked object as unshrinkable Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 075/127] drm/amd/display: Use the correct max downscaling value for DCN3.x family Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 076/127] drm/radeon: use the dummy page for GART if needed Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 077/127] drm/amdgpu: Fix GPU TLB update error when PAGE_SIZE > AMDGPU_PAGE_SIZE Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 078/127] drm/amdgpu: disable 3DCGCG on picasso/raven1 to avoid compute hang Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 079/127] drm/amdgpu: update gc golden setting for Navi12 Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 080/127] drm/amdgpu: update sdma " Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 081/127] dma-buf: fix unintended pin/unpin warnings Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 082/127] powerpc/64s/syscall: Use pt_regs.trap to distinguish syscall ABI difference between sc and scv syscalls Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 083/127] powerpc/64s/syscall: Fix ptrace syscall info with " Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 084/127] mmc: sdhci-pci-gli: increase 1.8V regulator wait Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 085/127] mmc: meson-gx: make replace WARN_ONCE with dev_warn_once about scatterlist offset alignment Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 086/127] mmc: meson-gx: also check SD_IO_RW_EXTENDED for scatterlist size alignment Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 087/127] gpio: tegra186: Dont set parent IRQ affinity Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 088/127] xen-pciback: redo VF placement in the virtual topology Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 089/127] xen-pciback: reconfigure also from backend watch handler Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 090/127] ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 091/127] userfaultfd: hugetlbfs: fix new flag usage in error path Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 092/127] Revert "mm/gup: check page posion status for coredump." Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 093/127] dm snapshot: fix a crash when an origin has no snapshots Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 094/127] dm snapshot: fix crash with transient storage and zero chunk size Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 095/127] kcsan: Fix debugfs initcall return type Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 096/127] Revert "video: hgafb: fix potential NULL pointer dereference" Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 097/127] Revert "net: stmicro: fix a missing check of clk_prepare" Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 098/127] Revert "leds: lp5523: fix a missing check of return value of lp55xx_read" Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 099/127] Revert "hwmon: (lm80) fix a missing check of bus read in lm80 probe" Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 100/127] Revert "video: imsttfb: fix potential NULL pointer dereferences" Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 101/127] Revert "ecryptfs: replace BUG_ON with error handling code" Greg Kroah-Hartman
2021-05-24 15:26 ` [PATCH 5.12 102/127] Revert "scsi: ufs: fix a missing check of devm_reset_control_get" Greg Kroah-Hartman
2021-05-24 15:27 ` [PATCH 5.12 103/127] Revert "gdrom: fix a memory leak bug" Greg Kroah-Hartman
2021-05-24 15:27 ` [PATCH 5.12 104/127] cdrom: gdrom: deallocate struct gdrom_unit fields in remove_gdrom Greg Kroah-Hartman
2021-05-24 15:27 ` [PATCH 5.12 105/127] cdrom: gdrom: initialize global variable at init time Greg Kroah-Hartman
2021-05-24 15:27 ` [PATCH 5.12 106/127] Revert "media: rcar_drif: fix a memory disclosure" Greg Kroah-Hartman
2021-05-24 15:27 ` [PATCH 5.12 107/127] Revert "rtlwifi: fix a potential NULL pointer dereference" Greg Kroah-Hartman
2021-05-24 15:27 ` [PATCH 5.12 108/127] Revert "qlcnic: Avoid " Greg Kroah-Hartman
2021-05-24 15:27 ` [PATCH 5.12 109/127] Revert "niu: fix missing checks of niu_pci_eeprom_read" Greg Kroah-Hartman
2021-05-24 15:27 ` [PATCH 5.12 110/127] ethernet: sun: niu: fix missing checks of niu_pci_eeprom_read() Greg Kroah-Hartman
2021-05-24 15:27 ` [PATCH 5.12 111/127] net: stmicro: handle clk_prepare() failure during init Greg Kroah-Hartman
2021-05-24 15:27 ` [PATCH 5.12 112/127] scsi: ufs: handle cleanup correctly on devm_reset_control_get error Greg Kroah-Hartman
2021-05-24 15:27 ` [PATCH 5.12 113/127] net: rtlwifi: properly check for alloc_workqueue() failure Greg Kroah-Hartman
2021-05-24 15:27 ` [PATCH 5.12 114/127] ics932s401: fix broken handling of errors when word reading fails Greg Kroah-Hartman
2021-05-24 15:27 ` [PATCH 5.12 115/127] leds: lp5523: check return value of lp5xx_read and jump to cleanup code Greg Kroah-Hartman
2021-05-24 15:27 ` [PATCH 5.12 116/127] qlcnic: Add null check after calling netdev_alloc_skb Greg Kroah-Hartman
2021-05-24 15:27 ` [PATCH 5.12 117/127] video: hgafb: fix potential NULL pointer dereference Greg Kroah-Hartman
2021-05-24 15:27 ` [PATCH 5.12 118/127] vgacon: Record video mode changes with VT_RESIZEX Greg Kroah-Hartman
2021-05-24 15:27 ` [PATCH 5.12 119/127] vt_ioctl: Revert VT_RESIZEX parameter handling removal Greg Kroah-Hartman
2021-05-24 15:27 ` [PATCH 5.12 120/127] vt: Fix character height handling with VT_RESIZEX Greg Kroah-Hartman
2021-05-24 15:27 ` [PATCH 5.12 121/127] tty: vt: always invoke vc->vc_sw->con_resize callback Greg Kroah-Hartman
2021-05-24 15:27 ` [PATCH 5.12 122/127] drm/i915/gt: Disable HiZ Raw Stall Optimization on broken gen7 Greg Kroah-Hartman
2021-05-24 15:27 ` [PATCH 5.12 123/127] openrisc: mm/init.c: remove unused memblock_region variable in map_ram() Greg Kroah-Hartman
2021-05-24 15:27 ` [PATCH 5.12 124/127] x86/Xen: swap NX determination and GDT setup on BSP Greg Kroah-Hartman
2021-05-24 15:27 ` [PATCH 5.12 125/127] nvme-multipath: fix double initialization of ANA state Greg Kroah-Hartman
2021-05-24 15:27 ` [PATCH 5.12 126/127] rtc: pcf85063: fallback to parent of_node Greg Kroah-Hartman
2021-05-24 15:27 ` [PATCH 5.12 127/127] x86/boot/compressed/64: Check SEV encryption in the 32-bit boot-path Greg Kroah-Hartman
2021-05-24 17:56 ` [PATCH 5.12 000/127] 5.12.7-rc1 review Rudi Heitbaum
2021-05-24 18:59 ` Fox Chen
2021-05-24 22:03 ` Shuah Khan
2021-05-24 22:12 ` Florian Fainelli
2021-05-25 6:32 ` Naresh Kamboju
2021-05-25 13:33 ` Justin Forbes
2021-05-25 21:27 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210524152336.470419655@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+6bb23a5d5548b93c94aa@syzkaller.appspotmail.com \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).